Schrems Judgment in the Irish Commercial Court Raises Concerns over the “Model Contracts” for Transfer of Personal Data Out of Europe
An Irish High Court ruling may have a significant impact on one of the main mechanisms that global companies use to transfer personal data out of the European Economic Area (“EEA”). The Irish High Court ruled on 3 October 2017 that the Standard Contractual Clauses (“SCCs”) used by companies to transfer data from the EEA to the US, also frequently referred to as “Model Contracts,” must be the subject of review by the Court of Justice of the European Union.
Update on the Legal Challenge to Standard Contractual Clauses
The closely followed case challenging the validity of Standard Contractual Clauses for the transfer of personal data outside the EEA to countries considered not to provide an adequate level of data protection, including the US, is progressing, with a hearing coming up on February 7th and a schedule set for the proceedings, including amicus participation.
European Commission Considering Amendments to Standard Contractual Clauses for International Data Transfers
The European Commission has drafted amendments to the adequacy decisions that underpin the European Union’s Standard Contractual Clauses (“SCCs”) that allow businesses to transfer personal data originating in the European Economic Area (“EEA”) outside of the EEA. While the Commission has not published the full text of its proposals, they may have a significant practical impact on all businesses that rely on SCCs for international data transfers, including to the United States.
Evaluating the Dwindling Privacy Shield Grace Period
Now that we are into September, you may be hearing more about the Privacy Shield for transfers of personal data from the EU to the U.S., and in particular the 9-month “grace period” to fully implement the Privacy Shield for companies that certify within the first two months that the Privacy Shield is available for certification. The Department of Commerce began accepting certifications on August 1, 2016, and so the opportunity to take advantage of the grace period closes on September 30, 2016. This grace period does not, however, absolve companies of the responsibility to implement Privacy Shield principles and substantive obligations upon certification. Rather, it permits companies nine months from the date they certify to the Privacy Shield to negotiate amendments to their third-party contracts with all vendors or other business partners that receive personal data from the certifying company.
Privacy Shield Now Available for Certification
From Monday, August 1, 2016, companies will be able to self-certify under the EU-US Privacy Shield (www.privacyshield.gov). The Privacy Shield was adopted on July 12, 2016 and is intended as a replacement for the now invalidated Safe Harbor framework. Companies preparing to self-certify their adherence to the Privacy Shield Principles should carefully review the associated documentation to understand the new requirements and consider carrying out a gap analysis against their existing privacy program. This is particularly important given the potential for increased enforcement action from the US Federal Trade Commission against participating companies that fail to comply with the Principles.
Privacy Shield: Essentially Equivalent
With the final Privacy Shield decision, the European Commission and United States Government have concluded several years of discussion and negotiation concerning the Safe Harbour framework and the new Privacy Shield. The effort and thought by negotiators, EU institutions, and stakeholders alike to reach this point reflect the importance of private life and data protection in EU society and the significance of data flows to transatlantic commerce and discourse. Sidley Senior Counsel Cam Kerry and Sidley Partner Maarten Meulenbelt discuss how the Privacy Shield meets the requirements of EU law and answer criticisms in Privacy Shield: Essentially Equivalent.
Formal Adoption of EU-US Privacy Shield
After many months of negotiation and review, the EU-US Privacy Shield was formally adopted by the European Commission on July 12, 2016. This came just a few days after the Article 31 Committee approved the updated text of the EU-US Privacy Shield on July 8, 2016.
Privacy Shield Text Updated
The final text of the much-anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
Post-Brexit EU May Be Stranded By Its Own Data Rules
*This article first appeared in Forbes on July 1, 2016.
So now the European Union’s “sceptered isle” has voted to sever its bonds with its continental partners – with the wish that (as described in a Shakespeare passage memorized by every English schoolchild for generations) it can be set off by the sea “against the envy of less happier lands.” The outcome demonstrates the depth of dissatisfaction with a world that has become interconnected.
In the meantime, the EU is facing its own tensions with global interconnectedness that threaten to turn it into a virtual island as it heads further down the path of cutting off the flow of data to “third countries” outside the EU.
Amid news of Brexit, UK ICO seeks to provide reassurance
As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.